Possible OS X Trojan?

bbloke, those links raise some interesting points, but I have to disagree with them when they say this is not a problem with Safari. The deeper "problem" they examine is not much of a problem at all, because it requires the user to specifically open the file. Disguising an application as a plain ol' file is the oldest trick in the book, and there's just no way around it. Common sense neatly patches up this "security hole".

Unsanity is making too big a deal about LaunchServices. The problem, as they portray it, is that you can make these shell scripts have a JPEG icon when they're really executable. Well, you've been able to do that on the Mac for 20+ years. It's called a custom icon. Just Get Info on the file, and paste on a JPEG icon. This has exactly the same effect as the method currently used by the exploit — except that it won't trigger Safari's security hole.

It's very easy — on any platform — to make a program look like a harmless file. Users simply need to be careful what they open. This will never change, and it is not a flaw of any OS.

I agree that what Unsanity describes is poor design (it should be per-user, not per-file), but it's not a big issue when it comes to security.

The problem here IS with Safari, because as it is set up now, simply visiting a web site — and doing nothing else — could lead to some unknown arbitrary program getting installed and executed. This is all because Safari is naive and doesn't use caution when identifying and opening unknown files.

Edit: I should have read the first link more thoroughly. The last bit they mention, about sending attachments with the "x-unix-mode=0755" tag set, is definitely a problem. Any file that has the executable bit set should definitely be displayed as an application in the Finder, so I agree that this is something that needs to be fixed in the OS. But this is actually a different issue than the "strong bindings" problem Unsanity is talking about.
 
But it happens in Mail.app, too, now. So in the worst case, somebody uses an e-mail address you know as the sender and sends you a "JPEG". And if you merely click on it in the mail window, the script is executed in Terminal.app. While I agree it still involves a user's click, it's still something that should be considered in Launch Services. Maybe even this specific case...
 
I heard on the radio today that someone found a serious flaw in Safari allowing someone to hack in and delete files on the computer... Anyone know what that's about? I had just woken up and only heard about half of the report...
 
Had to merge your thread with this one, Parke... Somehow, though, your thread title didn't make it into your post title. :/ ... You asked whether Safari got hacked. You'll find answers in _this_ thread about it. But "Safari hacked" is definitely the wrong term...
 
There are actually two different things we're talking about that affect Mail now. One is the same thing hitting Safari (a zipped up shell script that looks like a JPEG and is set to open in Terminal), and the other is an application that you can email, unzipped, that appears to be a JPEG. They sound very similar, but the method of trickery is distinctly different.

Last year, after something like this happened, Apple added a feature to OS X that asks the user for confirmation before loading an application for the first time. For some reason, Apple only made this confirmation screen appear when the application loaded through certain means (for example, double-clicking an associated file). The only way Apple can really prevent the application-that-looks-like-a-file problem is by making this confirmation dialog appear the first time an application is loaded by any means, even by the user explicitly double-clicking it. Apple really should do this. It'd be annoying, but that's the price of security, I suppose.
 
I'm not sure that will help much. For example, if a user has already opened the Terminal, then there will be no confirmation if they get hit with one of these (the drive-by download in Safari, the emailed app-that-looks-like-a-JPEG).

Even if you forced the user to first save the file to the desktop, then open it from there, the problem stays the same - the OS gives every indication that the file is harmless, but when it's opened, it is treated as an application.

To really solve this will involve some serious hard decisions about how to deal with the OS 9 legacy of file/creator codes - decisions that should have been made sometime before OS X public beta. Unfortunately, I don't really trust that Apple has the will to make these decisions now.
 
Hmm. Even shell scripts need to have the executable bit set, so Launch Services should be able to identify them as dangerous before opening them, just as if they were real applications, right?
 
Not being a "Techie", I am only marginally concerned. However, is it safe to say that doing the following will provide some measure of security? In Safari preferences, shutting off the "open safe files after download" option would be a good place to start until Apple releases a patch? I tend not to open any files that I'm not sure of their origin, but one never knows. Especially if it's a forwarded file. OS X is new to me, so I haven't the experience of much Admin input.
 
Absolutely - turn off "open safe files after download", and don't manually open anything that you didn't expect to start downloading from a website. That and don't open email attachments you weren't expecting, and you will be safe from not only these particular problems, but probably the next ones to show up too.
 
It seems that the originator of InqTana has given an interview!

http://www.securityfocus.com/columnists/389

Why did you decide to make a worm out of the vulnerability?

Finisterre: I have heard of so many folks touting that misconception that Macs can't get viruses that I thought it was about time to start a dialog with some of the AV (antivirus) companies and express some of my ideas. In the process of confirming my own concerns, this code was created. I am not one for talking about things in concept form - I like to actually implement and prove a concept.

The idea that Macs can't get viruses is simply absurd and I wanted to highlight that fact. It was pure coincidence that Leap.A had already (been created to) set out to prove that the old wives' tale is false.

InqTana was more or less an exercise in proving folks wrong about the possibilities of Mac malware.
Which of the three above methods do you think will be used by future worm and virus authors the most? Hopefully Apple will take note and address these areas of concern.

Finisterre: The InputManager technique seems to be very powerful. Using it to hook either - init or for a MethodSwizzle will most definitely be a popular thing to do. The primary reason I think it will be used often is due to the fact that it is portable across major versions of OS X. The launchd and dyld techniques are more specific to a particular version of OS X.
Are you worried about prosecution at all?

Finisterre: Since this code was not maliciously released into the wild, I honestly had only given a little thought to it. I honestly see this being no different than any of the other exploits and full-disclosure-style releases that I do. I had asked a few folks to turn me on to malware specific laws, but I have yet to get any responses.

I was hoping that by being responsible and keeping this limited to proof-of-concept code, it would not come to that. I think it would be a shame to prosecute someone that did not have malicious intent.
 
Just a note that the 1 March 2006 Security Update seems to recognize this issue:

* Safari, LaunchServices

CVE-ID: CVE-2006-0394

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web site may result in arbitrary code execution

Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
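As an added example (not code from the thread or from Apple), here is a check that applies what the advisory and the earlier posts describe: it flags a loose file with an image or movie name that has the executable bit set or starts with a shell shebang, and a zip whose entry carries the x-unix-mode=0755 attribute. The "safe" extension list and the sample files are constructed assumptions.

```python
"""Flag downloads that carry an image or movie name but would run as a program.
Added example, not code from the thread or from Apple; samples are constructed."""
import os
import tempfile
import zipfile

SAFE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".mov", ".mp4"}  # assumed "safe" list
JPEG_MAGIC = b"\xff\xd8\xff"

def _looks_safe(name):
    return os.path.splitext(name)[1].lower() in SAFE_EXTENSIONS

def disguise_reasons(path):
    """Return why `path` is not what its name claims; empty list means no finding."""
    reasons, name = [], os.path.basename(path)
    if zipfile.is_zipfile(path):
        # Zipped variant: the entry carries x-unix-mode=0755, so the expanded
        # "JPEG" is executable. The Unix mode sits in the high 16 bits.
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                mode = info.external_attr >> 16
                if _looks_safe(info.filename) and mode & 0o111:
                    reasons.append("zip entry %s has mode %o" % (info.filename, mode & 0o777))
        return reasons
    if not _looks_safe(name):
        return reasons
    if os.stat(path).st_mode & 0o111:  # loose file with the executable bit set
        reasons.append("%s has the executable bit set" % name)
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"#!"):
        reasons.append("%s starts with a shell shebang" % name)
    elif name.lower().endswith((".jpg", ".jpeg")) and not head.startswith(JPEG_MAGIC):
        reasons.append("%s lacks JPEG magic bytes" % name)
    return reasons

def demo():
    """Write three constructed samples to a temp dir; return {name: reasons}."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "real.jpg"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)  # genuine JPEG header
    script = os.path.join(d, "disguised.jpg")
    with open(script, "wb") as fh:
        fh.write(b"#!/bin/sh\necho 'this would run in Terminal'\n")
    os.chmod(script, 0o755)
    with zipfile.ZipFile(os.path.join(d, "payload.zip"), "w") as zf:
        info = zipfile.ZipInfo("photo.jpg")
        info.external_attr = 0o100755 << 16  # regular file, mode 0755
        zf.writestr(info, b"#!/bin/sh\necho 'zipped variant'\n")
    return {n: disguise_reasons(os.path.join(d, n)) for n in os.listdir(d)}
```

Running `demo()` reports nothing for the genuine JPEG, two findings for the loose script and one for the zipped entry; point `disguise_reasons` at a real Downloads folder to use it as an audit.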
 
(Just keep in mind that while Safari etc. won't _autoexecute_ the scripts any longer, if you double-click those "JPG" files, they still open and execute in Terminal. Same goes for such files that you get by Mail.app and double-click them there.)
 